Vendor: phpBB
By: 1dt.w0lf
CVSS: 7.5 (HIGH)
phpBB admin_styles.php commands execution exploit
Product Name: phpBB
Affected Version From: phpBB 2.0.0
Affected Version To: phpBB 2.0.13
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2005

r57phpbb_admin2exec.pl

This exploit allows an attacker to execute commands on a phpBB forum through the admin_styles.php file. It has been tested on phpBB version 2.0.13. The exploit works by creating a new style and running SQL queries in the database; the attacker can then execute commands through the created file. The exploit can also retrieve the database prefix.

Mitigation:

Upgrade to a newer version of phpBB that has patched this vulnerability. Additionally, ensure that the admin_styles.php file is properly secured and access to it is restricted.

Exploit-DB raw data: